Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

CERT, Feds Consider New Reporting Process

WEBINAR:On-Demand

Government officials and private organizations alike are reviewing their vulnerability disclosure processes after several incidents over the past 10 days exposed major shortcomings in the way new bugs are handled.

The most dramatic case for change came early last week when an anonymous member of a security mailing list posted three unpublished vulnerability advisories. None of the advisories had been released by the authors—or by a third party such as the CERT Coordination Center—who typically handle such announcements. The posts were taken from advance copies of the advisories that CERT had shared with a select group of software vendors, something that has angered CERT officials.

"We know that the text was taken directly from messages we shared with the vendor community," said Shawn Hernan, team leader for vulnerability handling at CERT, based at Carnegie Mellon University, in Pittsburgh. "Weve always believed that the vendors need advance notice. But in this case, someone with access decided to [go] public."

CERT is now considering whether changes can be made to its process for handling vulnerabilities. The federal government, meanwhile, is discussing ways to centralize vulnerability reporting.

Further reading

The government is considering a plan to establish a single point of contact for vulnerability reporting; researchers would submit discoveries to the contact. The government would then work with the researcher and the affected vendors to coordinate release of the information.

The hope is to avoid leaks and to speed vendor response to security problems. However, the Information Assurance and Infrastructure Protection division of the Department of Homeland Security is still without a leader, clogging any major initiatives, insiders said.

While the Bush administration has found it difficult to fill the top information security job, sources say Bob Liscouski, director of information integrity and assurance at The Coca-Cola Co., in Atlanta, is slated to take the job of assistant undersecretary for IAIP.

Officials at DHS did not respond to requests for comment.

WINDOWS OF VULNERABILITY

Timeline of events in leaked vulnerability reports:

March 15 OpenSSL and Kerberos advisories leaked

March 16 Sun XDR advisory leaked

March 17 Kerberos advisory and patch officially released

March 19 Sun XDR advisory officially released

The trouble began when a member of the Full-Disclosure mailing list posted three vulnerability reports. Only one of the problems had been disclosed previously, and patches were not yet available. All the advisories detailed the vulnerabilities and affected products.

All the vulnerability reports were serious. The first, posted March 15, warned of a cryptographic weakness in the popular Kerberos protocol. The second message discussed a timing attack on cryptographic keys. The third, posted March 16, concerned a problem in a code library contained in Unix-based software from Sun Microsystems Inc. and other vendors. The Kerberos bulletin was officially released March 17; the details of the timing attack were published on another Web site the previous Friday.

The Sun advisory was not released until late Wednesday.

CERTs Hernan estimated there are about 50 vendors that had access to all three vulnerability reports. The person who posted the advisories to the Full-Disclosure list used an anonymous, secure e-mail service, Hushmail, which makes it hard to track the individual down.

Latest Security News:

Search for more stories by Dennis Fisher.Find white papers on security.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.